Microsoft sees spike in attacks targeting 0day Windows bug The number of malicious attacks exploiting an unpatched vulnerability in older versions of Windows has mushroomed over the past week, prompting Microsoft to warn customers to deploy countermeasures until an update is released. Microsoft said on Wednesday that its security team has detected more than 10,000 distinct computers …
A 0-day exploit is an exploit that has just been discovered and, as a direct consequence, has not yet received a correction or workaround.
Sure, it is best to exploit it on the first day of discovery, but until a patch is out, it is still a valid exploit.
And, with Microsoft, it can be a valid exploit for years.
Immediate full disclosure can cause problems, as in this case. But companies often need a bit of prodding before they take action. Neither extreme of disclosure is always appropriate. I think the best approach is to initially only notify the software developer, and give them a reasonable amount of time to respond.
If they don't, publicize that the vulnerability exists, but not all the details of how to exploit it. If this still doesn't trigger any action, disclose the full details.
Hopefully, the developer will address the issue promptly. Once a fix has been released, then disclose everything. This will pose a negligible risk to anyone who keeps their systems up-to-date, and still satisfy the principle of openness.
is that its all well and good Microsoft saying that they've published an advisory about this and given details of how to work round it (hacking the registry is one of the ways) but the average user who is going to get caught out by this is going to be a home PC user and how many of those do you know who read the security bulletins.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
